
How do I fix an error 403 when loading Fathom Analytics’ script.js with CSP in place?

I have a strict CSP (Content-Security-Policy) in place, allowing the Fathom Analytics script.js to be loaded from a custom domain.

In the .htaccess on Apache:

script-src 'self' 'nonce-%{UNIQUE_ID}e' my-custom-domain.example.com;

Application layer:

<script src="https://my-custom-domain.example.com/script.js" data-site="ABCDEFGH" defer nonce="<?php echo $_SERVER['UNIQUE_ID']; ?>"></script>

It always returns “loading failed” with an error 403 in the console.
The nonce was introduced for testing, as I thought that might solve the problem. It doesn't. (I know, I know, this is not the most secure method to use a nonce.)
I have tried variants of the custom domain, too (with protocol, without protocol, wildcard subdomain, …).

Turning off the CSP “fixes” the issue. Meaning the 403 only kicks in when the CSP is active.

I am relatively new to CSPs and don't know how to proceed.
Any suggestions are appreciated.

Right after reaching out publicly I found the solution:
I had to get rid of the “Referrer-Policy” directive—or rather provide an empty one like so: Header always set Referrer-Policy "".
After doing that, make sure to employ rel="no-referrer" on all external links instead.

Also I had to add the custom domain to the img-src directive (on top of the script-src one).
The nonce is not necessary to make this work.
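As an added example (not part of the question or the answer, and not Fathom's or Apache's code), here is a small Python checker that applies simplified CSP source-expression matching, so you can see which directive governs a given request and why a host allowed under script-src does not cover a request the browser classifies as an image: a missing img-src falls back to default-src, and with default-src 'self' the custom domain is blocked until it is listed there too. The page origin, policy strings and resource URLs are constructed placeholders (the image URL in particular is hypothetical, not a documented Fathom endpoint), and the matcher leaves out some spec details such as default-port handling and percent-encoded paths.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def parse_csp(header):
    """Split a CSP header value into {directive-name: [source expressions]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def host_matches(pattern, host):
    """Match a CSP host pattern ('*', '*.example.com', 'cdn.example.com') against a hostname."""
    if pattern == "*":
        return True
    if pattern.startswith("*."):
        # '*.example.com' matches 'a.example.com' but not 'example.com' itself
        return host.endswith(pattern[1:])
    return host == pattern


def source_allows(expr, url, page_origin):
    """Simplified CSP source-expression matching for resources fetched by URL."""
    u, o = urlsplit(url), urlsplit(page_origin)
    expr = expr.lower()
    if expr == "'self'":
        return (u.scheme, u.hostname, u.port) == (o.scheme, o.hostname, o.port)
    if expr.startswith("'"):
        # 'none', 'nonce-...', 'sha256-...', 'unsafe-inline': never match a URL
        return False
    if expr.endswith(":") and "/" not in expr:
        return u.scheme == expr[:-1]  # scheme-source such as "https:"
    # host-source: [scheme://]host[:port][/path]
    scheme = None
    if "://" in expr:
        scheme, expr = expr.split("://", 1)
    host_port, _, path = expr.partition("/")
    host, _, port = host_port.partition(":")
    if scheme:
        if u.scheme != scheme:
            return False
    elif u.scheme not in ("https", o.scheme):
        # no scheme in the expression: the page's own scheme (or an https upgrade) is required
        return False
    if not host_matches(host, (u.hostname or "").lower()):
        return False
    if port and port != "*" and str(u.port or DEFAULT_PORTS.get(u.scheme)) != port:
        return False
    if path:
        expr_path = "/" + path
        if expr_path.endswith("/"):
            return u.path.startswith(expr_path)  # directory prefix
        return u.path == expr_path  # exact file
    return True


def csp_allows(header, directive, url, page_origin):
    """Would a browser enforcing `header` fetch `url` for `directive` on a page at `page_origin`?"""
    policy = parse_csp(header)
    sources = policy.get(directive, policy.get("default-src"))
    if sources is None:
        return True  # neither the directive nor default-src is present: no restriction
    return any(source_allows(s, url, page_origin) for s in sources)


# Constructed values modelled on the question; the domains are placeholders, not real hosts.
PAGE_ORIGIN = "https://www.example.org"
CSP_SCRIPT_ONLY = "default-src 'self'; script-src 'self' 'nonce-abc123' my-custom-domain.example.com"
CSP_WITH_IMG = ("default-src 'self'; script-src 'self' my-custom-domain.example.com; "
                "img-src 'self' my-custom-domain.example.com")
SCRIPT_URL = "https://my-custom-domain.example.com/script.js"
IMAGE_URL = "https://my-custom-domain.example.com/collect.gif"  # hypothetical image-type request

if __name__ == "__main__":
    for name, header in (("script-src only", CSP_SCRIPT_ONLY), ("script-src + img-src", CSP_WITH_IMG)):
        print(name,
              "| script allowed:", csp_allows(header, "script-src", SCRIPT_URL, PAGE_ORIGIN),
              "| image allowed:", csp_allows(header, "img-src", IMAGE_URL, PAGE_ORIGIN))
```

Run it with the browser's console report in hand: the violated directive named in the report is the one to pass as `directive`. Two spellings are easy to mix up in this area: the HTML link relation token is `noreferrer`, while the Referrer-Policy header value is `no-referrer`.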
